Digital Identity: Opportunities for the Postal Service

May 29, 2012

Prepared by U.S. Postal Service Office of Inspector General
Risk Analysis Research Center
Report Number: RARC-WP-12-011

Executive Summary

As a highly trusted, venerable government institution with both a legal mandate to protect privacy and the authority to protect users from fraud, [1] the U.S. Postal Service is in a unique position to play a key part in a vital infrastructure for new digital identity creation and authentication services. These new services would make transactions requiring authentication of identity more convenient and secure than is possible with today’s technologies. They would provide a foundation for new communications applications with an inherently high level of privacy for users, the digital equivalent of First-Class Mail® privacy protection.

Use of such services would be entirely voluntary, with clear, comprehensible, and concise privacy guidelines. The Postal Service could facilitate and build on existing joint public-private sector initiatives, which are currently hindered by the inability to tie a user’s digital identity to a physical identity, such as a verifiable address. Although an in-depth legal examination would be required to pursue such an authentication offering, a previous U.S. Postal Service Office of Inspector General (OIG) Risk Analysis Research Center (RARC) study suggests that current regulations pertaining to the Postal Service are likely to permit such ventures. [2]

Today’s digital identities are primarily limited to attributes (descriptions of characteristics) provided by the end-user, which may be fact-based or fictional. This makes them unfit for use with many applications that require authentication between a digital identity and a real person, business, or entity. Further, some identity services may expose sensitive information to identity providers in ways that the users are unaware of and would not agree to if given the choice. This dissuades some potential users; more importantly, weaknesses in digital identity authentication serve to discourage or prohibit the introduction of some Internet services that otherwise could be brought online, including some in the financial, health, and government sectors.

The current standard for digital identity — username and password — is inadequate for providing appropriate security in many contexts. It is often compromised and leaves users vulnerable to fraud. This has led to a fragmented system where users must keep track of numerous password-username combinations and visit different websites to navigate the Internet. This standard, although expedient, is not consumer-friendly and was not designed with consumer ease of use in mind.

[1] Title 39 U.S. Code.
[2] U.S. Postal Service Office of Inspector General, Bridging the Digital Divide: Overcoming Regulatory and Organizational Challenges, Report No. RARC-WP-12-004, November 22, 2011, http://www.uspsoig.gov/foia_files/RARC-WP-12-004.pdf.

Single sign-on services, where one username and password combination can be used on different websites through an intermediary (or “trusted third party”), are simpler and growing in popularity but have significant limitations as currently applied. For example, some large intermediaries, such as Google and Facebook, use their position to track users’ Internet activities and develop behavioral profiles. Further, while the services may authenticate a user’s profile, they may not be able to authenticate other attributes the user ties to that profile — or indeed, prove that any of the attributes are real.

Some single sign-on solutions utilize OpenID, from the OpenID Foundation, a nonprofit organization of individuals and companies committed to fostering OpenID technologies that allow a single password managed by an “identity provider” with strong security. While OpenID may ultimately develop and become a standard authentication tool, at present, its technology leaves many users open to “phishing” [3] — where a user is persuaded to log-in to a malicious website impersonating an official web page — and other Internet fraud.
And none of the options currently under consideration for OpenID necessarily tie the user to real and verifiable attributes of identity, such as a physical address.

In May 2012, the Federal Government’s Chief Information Officer unveiled a new Digital Strategy emphasizing that government “must ensure confidentiality, integrity, and availability by building security into digital government services.” [4] One obvious area for building added security is the need for a trusted and neutral body to identify, authenticate, and certify users in a straightforward manner that reduces sign-up friction and maintains privacy. Currently, there are several formal initiatives outside of OpenID to explore the use of digital identities by government agencies and to encourage an interoperable standard for identity on the Internet. These include the National Strategy for Trusted Identities in Cyberspace (NSTIC), a White House initiative with a mandate “to improve the privacy, security, and convenience of sensitive online transactions.” [5] While the Postal Service is participating in some NSTIC discussions, it could play a far more active role.

The Postal Service is in a strong position to help fill an important part of the digital authentication gap. While the lifecycles of many Internet-related companies have been unpredictable, the Postal Service offers an institutional permanence. It has a powerful nationwide presence that is known for respecting and protecting individuals’ privacy. The Postal Service’s significant tangible and intangible assets include its geographic reach and nationwide addressing system databases, including its Address Management System (AMS) and National Change of Address (NCOA) databases, which cover all residences and businesses.
Between its systems and its physical network of retail locations and carrier services, the Postal Service has the right data, reach, and customer relationships to verify the link between citizens and their digital identities, making online transactions more secure. Such services could include in-person authentication at Post Offices or by carriers, an extension of the current U.S. Passport Service offering.

[3] The risk of phishing is a problem shared by all of today’s commonly used identity solutions.
[4] Digital Government: Building a 21st Century Platform to Better Serve the American People, Office of Management and Budget, http://www.whitehouse.gov/sites/default/files/omb/egov/digital-government/digital-government.html.
[5] National Strategy for Trusted Identities in Cyberspace, “About NSTIC,” http://www.nist.gov/nstic/about-nstic.html.

Authentication is foundational: as noted in previous work by the OIG, it is a needed service and could provide the base of a digital platform with many applications. These applications could be developed and offered either by the Postal Service alone or in conjunction with other government agencies, nonprofit organizations, private businesses, or a combination of these. Partnerships could provide an expedient way for the Postal Service to become more involved in digital identity services, although care must be taken to assure that any such offerings meet rigorous postal privacy guidelines.

The Postal Service is in a position to enhance an important part of the infrastructure for online commerce by authenticating digital and physical identities.
This will allow more consumer-friendly applications involving sensitive information, thus facilitating new eGovernment and eCommerce opportunities while securing important privacy protections for all users.

Table of Contents

Introduction

Background
    Identity, Authentication, and Attributes
    A Trust Framework and Its Components

Existing Digital Authentication Solutions
    Passwords
    Corporate Single Sign-On Services
    OpenID

Pilot Projects for a Digital Identity Ecosystem
    The National Strategy for Trusted Identities in Cyberspace Initiative
    Open Identity Exchange
    International Posts and Secure Identity Across Borders Linked

Features of the Digital Identity Ecosystem
    Verification of Real-World Attributes
    Transparent Privacy Policies
    Neutrality
    Personal Choice

Opportunities for the Postal Service in Digital Identity
    As a Trusted Third Party Online
    As an Identity Provider
    Verifying Attributes Physically for Digital Identities
    Identity Provisioning and Revocation
    Protecting Privacy and Security
    Evolving Role in Authentication and Digital Identity Services
    Adoption and New Applications
    Revenue Opportunities
    Implementation Considerations

Conclusion

Table

Table 1       Examples of Digital Identity Models in Europe

Figures

Figure 1      OpenID and Third Party Verification
Figure 2      The Postal Service as a Trusted Third Party
Figure 3      The Postal Service as an Identity Provider

Appendices

Appendix A    A European Postal Perspective
Appendix B    Commonly Used Terms in Digital Identity
Appendix C    Levels of Authentication

Introduction

How much certainty do we have about the identity of those we deal with on the Internet? Shopping online, participating in an online discussion, or filing tax returns all require different levels of certainty about the identity of the other parties involved. Many “identity-centric services” (services that are heavily dependent on accurate and precise identities) are either not offered or underutilized for two main reasons: (1) the difficulty in verifying that a particular Internet user is who she claims she is; and (2) users’ fears of identity theft or other fraud — whether factual or perceived — hinder adoption. In short, today’s approaches to identity on the Internet leave much to be desired. Their limitations are holding back potential business applications and may jeopardize users’ privacy.

[Callout: Without solid pre-existing authentication measures, various services are not able to move online safely]

In some industries such as banking and mobile phone service, the customer and the organization have agreed upon pre-existing measures that can be used to verify that an Internet user is legitimate. Examples are personal identification numbers (PINs) and account numbers, which have weaknesses. [6] Without solid pre-existing digital identification tools and verification measures, various services are not able to move online safely. In other cases, too many different entities are involved to easily verify an individual’s identity or attributes.
Examples of identity-centric tasks that are difficult to implement with today’s identity technology include

    • accessing healthcare information,
    • managing legal documents,
    • managing government services,
    • state and local licensing,
    • applying for scholarships,
    • applying for loans,
    • age-restricted transactions,
    • utility account setup,
    • opening certain financial accounts, and
    • identifying trading partners.

Through its national addressing system for residences and businesses as well as its vast network of retail locations, the U.S. Postal Service has the right data, reach, and customer relationships to fill an important gap in the digital identity ecosystem, verifying the link between citizens and their digital identities.

[6] Many users employ PIN numbers that are too short to be secure, passwords that involve common names or personal details, or other passwords that can be easily guessed.

By enabling people to link their real-world identity to a digital identity, the Postal Service could serve as vital infrastructure for creating new digital services and make identity-centric transactions more convenient and secure.
At the same time, the Postal Service could serve to strengthen online privacy for digital identities.

By building on its long history of connecting the nation and its position as the most-trusted government entity, [7] the Postal Service is in a unique position to protect customer privacy with clear and binding privacy regulations similar to those implemented for First-Class Mail®. The Postal Service could fill a critical gap in today’s identity ecosystem: digital identity services with strong privacy protections suitable for use with government services, e-commerce offerings, and other identity-centric applications not possible with today’s technology.

Use of such services would be entirely voluntary; individuals must be able to determine when and where to use their digital identities. People have multiple digital identities and few individuals are likely to assign their real-world identity to all of them. It must be recognized that the right of Internet users to remain anonymous for many interactions is an important part of what drives digital innovation and change.

Currently, there are several formal initiatives to explore the use of digital identities by government agencies and to encourage an interoperable standard for identity on the Internet. If the Postal Service can act swiftly, it is in a position to create and enhance an important part of the infrastructure for online commerce and eGovernment.

Background

Identity, Authentication, and Attributes

A digital identity refers to a collection of attributes related to a specific person or organization. Most Internet users have several digital identities issued to them as they sign up for email addresses, create accounts on websites, or access their office computers from home. For example, when you register for a new account at an online store, you create a new digital identity.
You are asked to choose a password, so that in the future you can prove that you control that identity. This process of verifying that you control an identity is called authentication. When users enter their email address and password to access an account on a website, they are authenticating that they control that identity.

[7] U.S. Postal Service, “Statement from Postmaster General Patrick Donahoe on the Fiscal Year 2013 Budget of the U.S. Government,” February 13, 2012, http://about.usps.com/news/national-releases/2012/pr12_0213FYbudget.pdf, and Ponemon Institute, “U.S. Postal Service Tops Ponemon Institute List of Most Trusted Federal Agencies,” June 30, 2010, http://www.ponemon.org/news-2/32.

The details of your online identities are called attributes. Similar to a driver’s license, revealing your digital identity to a third party discloses certain personal details. While your driver’s license lists your name, address, age, and details about your physical appearance, a digital identity used for eCommerce may include details like your email address, name, phone number, and shipping address.
If you have a digital identity, such as an account with an online store, you may be able to place orders faster, find details about your order history, and add items to a wish list, although not every eCommerce website implements these features.

A Trust Framework and Its Components

Within the digital identity field, a trust framework is a certification program that enables a party who accepts a digital identity credential to trust the identity, security, and privacy policies of the party who issues the credential and vice versa. [8] It ensures that the user can have confidence in all parties in a given identity ecosystem.

The organization that issues a digital identity is called an identity provider. In the case of a driver’s license, the identity provider is the state government. In the case of an email address, the identity provider is the company that hosts your email. The identity provider is not always the only organization to rely on the attributes in that identity. Just as there are many organizations that use your state-issued driver’s license to determine your age, residence, or record your identity to deter fraud, other entities can rely on an online identity created by a trusted third party.

[Callout: Today’s digital identities are generally unfit for use with services that require a verified link between a digital identity and a real person]

Organizations that rely on an identity issued by another entity are called relying parties. Several popular web services, including Facebook, Google, and Twitter, encourage people to use identities that these services provide for efficient authentication with other third-party services. Not incidentally, many such web services use these logins to gather behavioral profiles. For example, you may use your Facebook account as your identity when participating in an online discussion forum. In that case, the online discussion forum is a relying party, because it is relying on an identity provided by Facebook. Unlike a driver’s license, digital identities often allow the owner to control the specific attributes they reveal. For example, when using a driver’s license to verify your state of residence, you reveal information that may not be relevant, such as your date of birth — a detail that is unrelated to the question of where you reside. This information may not be needed for a transaction and therefore would not need to be shared. [9]

Today’s digital identities tend to be limited to attributes provided by the end-user, making them generally unfit for use with services that require a verified link between a digital identity and a real person. [10] Additionally, today’s identity services may expose sensitive information to the identity providers in ways that the users are unaware of, raising questions about the suitability of today’s services for use with financial, health, and government services.

[8] Open Identity Exchange, “What is a Trust Framework,” 2010, http://openidentityexchange.org/what-is-a-trust-framework.
[9] See Appendix B for a list of commonly used terms.
[10] Some users of high security applications are given physical tokens with dynamic codes to strengthen authentication. Tokens are typically used in addition to passwords and PINs. A token must be held in the user’s possession to assure security and allow digital access. Tokens are expensive, cumbersome, and often misplaced or lost.

There is potential, however, for a digital identity solution to emerge that enables certain sensitive, identity-dependent transactions to take place on the Internet with an expectation of privacy and convenience. By creating a way for web services to authenticate the real-world attributes of digital identities, the Postal Service could reduce fraud, increase customers’ privacy, and expand the possibilities for new online services.

Existing Digital Authentication Solutions

Passwords

Internet users are familiar with the username and password pattern that is the most common method of managing Internet identities. When creating an account at a website, users are often asked to enter their email address and choose a username and a password.

Passwords and Fraud

Many users choose the same password across all of the websites that they visit; their entire online identity can be revealed by hacking a single website. For example, in 2011 hackers made a serious breach into networks operated by Sony, exposing millions of passwords that Sony left unencrypted. When comparing the passwords of users who had accounts on both Sony’s services and other popular sites that were hacked, researchers found that most users had reused their password across multiple accounts.
[11] In this case, users who had one password stolen now had all of their online accounts at risk.

Passwords are frequently compromised via a technique called “phishing,” in which a user is emailed a link to log-in to a malicious website that is impersonating an official web page. The web page may request that the user enter their username and password or other sensitive details. Instead of logging the user into the web service as they expect, the malicious website captures the user’s details for further fraud.

Passwords are also easy for computers to guess. Researchers at Cambridge University analyzed a sample of 70 million passwords with the cooperation of Yahoo!, and found that around 1 percent of accounts had passwords easily guessed by a computer. [12] More sophisticated guessing techniques can yield even better results.

[11] Troy Hunt’s Blog, “A brief Sony password analysis,” June 6, 2011, http://www.troyhunt.com/2011/06/brief-sony-password-analysis.html.
[12] Joseph Bonneau, “The Science of Guessing,” http://www.cl.cam.ac.uk/~jcb82/doc/B12-IEEESP-analyzing_70M_anonymized_passwords.pdf.

Due to the difficulty of motivating users to choose secure passwords, rampant password re-use by users, and the relative ease of phishing and hacking to compromise identities, password-only account systems are a weak link in the digital identity ecosystem.

[Callout: The complexity of managing fragmented digital identities means a greater exposure to fraud]

For many less experienced Internet users, the complexity of managing fragmented digital identities means a greater exposure to fraud. It is impossible to come up with a reliable estimate of the impact of fraud on the Internet in the United States, as scams increasingly traverse different communications media and borders. Some estimates of annual worldwide Internet-related fraud run into tens, or even hundreds, of billions of dollars.

Passwords and Identity

Username and password schemes can secure individual access to an online account, but they can only ensure that the user has control of an online identity. Passwords, by themselves, do nothing to authenticate that a given user is who or what they say that they are. Another shortcoming of the username and password pattern is that users must find a way to authenticate their identities for each individual service. Each banking website, each government agency, and each medical provider may have a different way of verifying that an online identity is controlled by a particular person. Fraud during this verification process can expose even more of a user’s identity than a phishing scam.

The difficulty of making these processes easy to use, compounded with the risk of fraud, has limited the feasibility of online services that require strict identity control. While solutions exist to help technically inclined users overcome the burden of controlling multiple online identities, as discussed below, these solutions leave large segments of the population with a greater exposure to fraud and diminish opportunities to participate in the digital economy. Further, the fear of lack of privacy in itself prevents some users from ever using even basic Internet commerce offerings.

Corporate Single Sign-On Services

In response to the shortcomings of password authentication, several large Internet companies have designed identity services that are easier to use.
Single sign-on services allow a website owner to accept verification for an identity from a trusted third party. For example, users can sign in to the National Public Radio (NPR) website using accounts from other websites including Facebook, Google, and Twitter. While single sign-on services alleviate the need for users to remember many different passwords, these services have their own shortcomings. Some of the companies issuing these identities compile detailed behavioral profiles of their users by tracking user behavior across the Internet. These profiles are used to tailor advertising to that individual based on their activity across multiple websites. The use of today’s single sign-on services could be suboptimal for web services with an expectation of privacy, including managing government services and dealing with sensitive healthcare information.

Additionally — and very importantly — single sign-on identities do not verify specific attributes or that users are who they say that they are. For example, you can create a Facebook profile listing residence in a city other than the one where you live or under any name that you choose. A single sign-on identity only verifies that a particular Internet user controls the data in an account on a website, making today’s single sign-on identities insufficient for trusted applications or those needing to deal with the specifics of real-world identity.

OpenID

OpenID is a decentralized single sign-on solution, meaning it sets an interoperable standard for organizations to share and issue identities.
It was developed in 2005 as a collaborative effort among leaders in the digital identity
community. Currently, two nonprofits are involved with OpenID: Open Identity Exchange
provides certification for identity providers, and OpenID Foundation manages the trademark
and promotes the OpenID standard. Both groups are supported by leading technology companies.[13]

OpenID is a specification for creating identities that can work across multiple websites.
Any person or organization may create an identity, and web services that support
OpenID can accept those identities even when the identity was not originally created at
that site. Used by many single sign-on services, OpenID can help reduce the number of
different accounts a user must maintain across the web.

For example, users with an OpenID are able to log on to the NPR website with a process
similar to that used for a single sign-on identity issued by a corporation. If the OpenID is
issued by the user themselves or another party that does not track users’ activity across
multiple websites, then the user retains a greater measure of privacy than those using a
single sign-on identity issued by a tracking and advertising business. This means that
OpenID technology may present an opportunity for services that are identity-centric or deal
with information more sensitive than shopping and social networking.

OpenID is a promising approach to Internet identity. OpenID requires no additional
software other than the standard web browser, and OpenID itself utilizes other open-source
specifications for transferring data and authentication. This ease of adoption has
resulted in 9 million sites using the technology, with over 1 billion identities created
within the ecosystem.
[14]

[13] For example, both groups include board members from Google, Microsoft, PayPal, and Symantec.
[14] OpenID, “OpenID 2009 Year in Review,” December 16, 2009,
     http://openid.net/2009/12/16/openid-2009-year-in-review/.

The OpenID specification allows trusted third parties to verify attributes of a specific
identity (see Figure 1). For example, the Postal Service could act as a trusted third party
to verify the street address of a user and authenticate the user’s identity. When
appropriate, the user could choose to reveal some real-world attributes of their identity
to do business online. Users have a choice of which attributes they would like to reveal,
perhaps only revealing their state of residence rather than their full street address. The
mechanisms for sharing attributes of an identity are designed to protect individual user
privacy and choice. They also help to protect the universe of users at large.

Figure 1: OpenID and Third Party Verification
[Diagram: USER, RELYING PARTNER, IDENTITY PROVIDER]

   1. User logs into Relying Partner’s website
   2. Relying Partner contacts Identity Provider to authenticate the User
   3. Identity Provider asks User to authorize using identity with Relying Partner
   4.
      If/When User allows, Identity Provider sends credentials to the Relying
      Partner and the User is logged into the website

OpenID remains cumbersome for the average Internet user. The process of creating
and using an OpenID is unfamiliar to most users. Also, under the current specification
for OpenID, creating an OpenID with a third party (instead of issuing one’s own ID) can
expose more information to the identity provider about a user’s behavior than an
average Internet user may realize.

While OpenID remains as vulnerable to phishing as other single sign-on systems, these
issues are likely to be overcome by improving its design. The OpenID Foundation
continues to update and evolve the specification in response to the experience of web
developers and feedback from the information security community.


Pilot Projects for a Digital Identity Ecosystem
Government agencies, other posts and the private sector are responding to the
shortfalls of today’s identity capabilities by forming organizations to develop and
advance interoperable standards for digital identity.
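An added example, not part of the original report or of any OpenID library, of the attribute sharing described in the OpenID section above (Figure 1): the identity provider signs an OpenID 2.0 assertion that carries only the Attribute Exchange values the user approved, and the relying party accepts only attributes covered by that signature. The endpoint URLs, key, nonce, address values, attribute type URIs, and function names are constructed for illustration; discovery, association setup, and nonce replay tracking are omitted.

```python
import base64
import hashlib
import hmac

# Fields an OpenID 2.0 relying party requires to be covered by the signature.
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce",
                   "assoc_handle", "claimed_id", "identity"}

# Constructed sample data: association key and attributes the provider verified.
MAC_KEY = b"constructed-association-key-0001"
VERIFIED = {  # alias -> (illustrative axschema.org-style type URI, verified value)
    "street": ("http://axschema.org/contact/postalAddress/home", "123 Example St"),
    "state": ("http://axschema.org/contact/state/home", "VA"),
    "zip": ("http://axschema.org/contact/postalCode/home", "22209"),
}


def _sign(mac_key, fields, signed):
    """Base64 HMAC-SHA256 over the key-value form ("key:value\\n") of signed fields."""
    lines = []
    for key in signed:
        value = fields["openid." + key]
        if "\n" in key or ":" in key or "\n" in value:
            raise ValueError("field cannot be encoded in key-value form")
        lines.append(f"{key}:{value}\n")
    mac = hmac.new(mac_key, "".join(lines).encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def issue_assertion(mac_key, identity, return_to, verified, consented):
    """Identity provider: release only the verified attributes the user approved."""
    fields = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://idp.example/openid",     # hypothetical
        "openid.claimed_id": identity,
        "openid.identity": identity,
        "openid.return_to": return_to,
        "openid.response_nonce": "2012-05-29T12:00:00Zk3Jq9x",  # constructed
        "openid.assoc_handle": "assoc-1",                       # constructed
        "openid.ns.ax": "http://openid.net/srv/ax/1.0",
        "openid.ax.mode": "fetch_response",
    }
    for alias in sorted(consented):
        type_uri, value = verified[alias]  # KeyError: attribute was never verified
        fields[f"openid.ax.type.{alias}"] = type_uri
        fields[f"openid.ax.value.{alias}"] = value
    signed = [key[len("openid."):] for key in fields]
    fields["openid.signed"] = ",".join(signed)
    fields["openid.sig"] = _sign(mac_key, fields, signed)
    return fields


def verify_assertion(mac_key, msg, expected_return_to):
    """Relying party: return {type_uri: value} for signed attributes only."""
    signed = msg.get("openid.signed", "").split(",")
    if not REQUIRED_SIGNED.issubset(signed):
        raise ValueError("required fields are not covered by the signature")
    if any("openid." + key not in msg for key in signed):
        raise ValueError("signed field missing from message")
    expected = _sign(mac_key, msg, signed)
    supplied = msg.get("openid.sig", "")
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        raise ValueError("signature mismatch")
    if msg["openid.return_to"] != expected_return_to:
        raise ValueError("assertion was issued for a different relying party")
    attrs = {}
    for key in signed:
        alias = key[len("ax.value."):]
        if key.startswith("ax.value.") and "ax.type." + alias in signed:
            attrs[msg["openid.ax.type." + alias]] = msg["openid." + key]
    return attrs


def demo():
    rp = "https://rp.example/return"  # hypothetical relying party
    msg = issue_assertion(MAC_KEY, "https://idp.example/u/alice", rp,
                          VERIFIED, consented={"state"})
    released = verify_assertion(MAC_KEY, msg, rp)
    # A field that is not listed in openid.signed is not vouched for: ignored.
    extra = dict(msg)
    extra["openid.ax.type.zip"] = VERIFIED["zip"][0]
    extra["openid.ax.value.zip"] = "00000"
    with_extra = verify_assertion(MAC_KEY, extra, rp)
    # A signed value changed after issuance no longer matches the signature.
    changed = dict(msg)
    changed["openid.ax.value.state"] = "MD"
    try:
        verify_assertion(MAC_KEY, changed, rp)
        rejected = False
    except ValueError:
        rejected = True
    return released, with_extra, rejected


if __name__ == "__main__":
    print(demo())
```

The user verified three address attributes but consented to release only the state, so the street address and ZIP code never leave the identity provider.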

The National Strategy for Trusted Identities in Cyberspace Initiative

In May 2012, the Federal Government’s Chief Information Officer unveiled a new Digital
Strategy emphasizing that government “must ensure confidentiality, integrity, and
availability by building security into digital government services.”[15] Prior to this,
recognizing the need to establish a framework for trusted identities online, the White
House has issued an administrative mandate to establish an “identity ecosystem” that
gives both organizations and Internet users a greater degree of confidence in the
identities of those they do business with online. In a proposal released in February of
2012, the National Strategy for Trusted Identities in Cyberspace (NSTIC) created
federal support for a steering committee in a private sector-led effort to develop an
identity ecosystem, involving stakeholders from industry, federal and local government,
and privacy, civil liberties, and consumer advocacy organizations.[16]

NSTIC has committed funding and other support to establish the steering committee
and undertake pilot projects to explore digital identity models; it envisions
implementation of a functioning identity ecosystem by 2016.[17] NSTIC aims to create a
norm in digital identity management whereby institutions and users are able to conduct
identity-related business online in a voluntary fashion, thus giving individuals control
over what private information is disclosed. NSTIC encourages interoperability and
government adoption of the resulting digital identity platform.
In discussing and defining potential authentication solutions, NSTIC and other organizations
use the definition of four levels of authentication assurance provided by the National
Institute of Standards and Technology (NIST); levels 1 and 2 are the most commonly employed.[18]

Open Identity Exchange

Distinct from the OpenID Foundation, which manages the specification to implement
OpenID, the Open Identity Exchange is a certification listing service for open trust
frameworks. The Open Identity Exchange has developed a certification for identity
providers in conjunction with the General Services Administration (GSA). Certified
identity providers as of March of 2012 include Google, PayPal, Verisign, and Equifax. A
pilot program enables the National Institutes of Health (NIH) to accept OpenID
credentials from certified private-sector identity providers.[19]

[15] Digital Government: Building a 21st Century Platform to Better Serve the American People,
     Office of Management and Budget,
     http://www.whitehouse.gov/sites/default/files/omb/egov/digital-government/digital-government.html.
[16] National Institute of Standards and Technology, “Administration Releases Strategy to Protect
     Online Consumers and Support Innovation and Fact Sheet on National Strategy for Trusted
     Identities in Cyberspace,” April 15, 2011,
     http://www.nist.gov/public_affairs/releases/whitehouse_nstic.cfm.
[17] John Fontana, “NSTIC doc outlines transition to privately led ID effort,” ZDNet Identity
     Matters, February 8, 2012,
     http://www.zdnet.com/blog/identity/nstic-doc-outlines-transition-to-privately-led-id-effort/224?tag=search-results-rivers;item0.
[18] For definitions of the four levels of authentication assurance, see Appendix C.
[19] Open Identity, “Open Identity Exchange Commences Open Government Pilot with National
     Institutes of Health,” March 3, 2010,
     http://openidentityexchange.org/press-releases/nih-announces-oix-pilots-2010-03-03, and
     National Institutes of Health, “Open Identity for Open Government at NIH,”
     http://datacenter.cit.nih.gov/interface/interface245/open_gov.html.

International Posts and Secure Identity Across Borders Linked

In a recent survey of postal operators conducted by the Universal Postal Union, more
than a third of the 15 industrialized country respondents stated that they currently
provide digital identity services. Other postal operators, particularly in Europe and the
Arab region, continue to expand such offerings.[20]

According to 2011 research from The Information Technology & Innovation Foundation,
16 European countries provide a digital identity for their citizens.[21] In Europe, the Secure
Identity Across Borders Linked (STORK) project aims to create reciprocal recognition of
digital identities provided by European nations. The project is made up of partner
entities from the public and private domains. It is funded in part by the European
Commission and encompasses several pilot projects currently in progress across the
continent, including international change-of-address services.

STORK creates a template for a platform to share identity data, while allowing the end
user to maintain control over what data is sent to what website. As the European Union
strives to strengthen consumer privacy protections, STORK’s platform aims to protect
privacy by transferring only the minimum data needed to create a transaction and
allowing individuals to completely delete all of their information from the system if they
choose.
[22]

[20] The UPU is also currently in the early stages of developing a postal identity standard.
     See Appendix A for an overview of digital identity models used for the provision of
     eMailbox-type services.
[21] The Information Technology & Innovation Foundation, Explaining International IT Application
     Leadership: Electronic Identification Systems, September 15, 2011,
     http://itif.org/publications/explaining-international-it-application-leadership-electronic-identification-systems.
[22] STORK (Secure Identity across Borders Linked), “FAQs,”
     www.eid-stork.eu/index.php?option=com_content&task=view&id=55&Itemid=76#stork_faq_5.


Features of the Digital Identity Ecosystem
Today’s framework for digital identity addresses several problems successfully: the
need to verify the identity of websites themselves for transmitting secure information,
the existence of an open platform, and ever-improving tools to help users manage
multiple identities.

Several unaddressed needs remain; these gaps represent an opportunity for new
identity services. Solving these issues will expand the possibilities for digital services to
use identity information efficiently, saving costs, reducing fraud, and adding
convenience for individuals and organizations.

Verification of Real-World Attributes

In order to support an expectation of privacy and a need for strong identity, government
agencies, businesses, and citizens will require a way to authenticate the real-world
identity of an Internet user by verifying user attributes. Current verification procedures
are fragmented across organizations, creating inefficiencies and adding barriers to
providing online services.
For example, users may be required to have separate online
identities and accounts to manage the distribution of government benefits and to
securely access their healthcare information online. Each organization the user
communicates with adds another layer of complexity and another process for
verification.

There are potential macroeconomic diseconomies without a reliable national digital
identification and address system online, even one that is optional for consumers. In the
physical world, standards for addressing have acted as a catalyst for communications and
commerce by making it simple for businesses and individuals to locate and deliver
information and goods to customers around much of the world. Similar infrastructures
should exist in the digital world as activities shift online.
Simplifying the process of verifying a user’s real-world identity online would expand the
possibilities for bringing government services into the digital world. By providing the user
with a digital identity that can be used for these kinds of services, agencies could more
easily offer their services online, and users could utilize those services effortlessly.

If citizens were able to use their verified identities for transactions outside of
government services, several positive trends might emerge. First, the more widely
usable an identity is, the less friction there is to widespread adoption. Secondly, the use
of verified real-world attributes is not a problem unique to government.
Businesses could build on the new opportunities created by a secure identity infrastructure,
bringing new services to market and strengthening existing ones. As digital identity security
increases, the cost of fraud to businesses will decline.

While there are pilot programs in progress to certify commercial single sign-on services
for government use, for-profit single sign-on services would be inappropriate for many
applications where there is an expectation of privacy. Current pilot programs do not yet
define a solution for identity verification that operates at Internet scale. The programs
explore use of single sign-on services with government services, but in a limited
environment where the identity of the user may be prescribed outside of the single
sign-on service.

Transparent Privacy Policies

Users can only make choices about privacy when their options are clearly presented.
Most websites today feature a privacy policy, typically reached via a link at the bottom of
a web page. Users are often asked to agree to a website’s privacy policy before
creating their account. Yet this is unrealistic in practice, as typical privacy policies are
often long and complex. Researchers from Carnegie Mellon recently suggested that it
would take the average Internet user 76 workdays to read all of the privacy policies that
they encounter in a year.
[23]

Even if consumers reviewed the privacy policies they encounter, the Internet’s premier
identity providers lack a precedent of strong privacy protection. In 2011, Facebook
settled with the Federal Trade Commission over changes to their privacy policy that
shared users’ information and bypassed their privacy preferences.[24] And in March of
2012, the Federal Trade Commission began examining whether Google has
misrepresented its privacy practices to consumers.[25] Google has acknowledged that it
intentionally bypasses the privacy settings in the Safari web browser in order to track
users across the web.[26]

In cases where users are accessing sensitive services online or revealing real-world
aspects of their identity, the implications of privacy choices must be made clear to users
and must be respected. Without a framework of trust and transparency between digital
identity providers and the users they service, today’s digital identity management
capabilities are inappropriate for use where there is a strong expectation of privacy.

Neutrality

Market forces can create additional conflicts for uses of these identities, including an
incentive for anticompetitive practices. The Internet is a neutral infrastructure, one that
does not select the winners or losers in the marketplace. By forcing users to choose
between for-profit identities in order to digitally engage with their government services,
users could be left with no options that protect their privacy.
A neutral provider of identity infrastructure would allow greater marketplace innovation and
diminish the incentive of identity providers to limit the interoperability of their identities.

As an example of these politics at play in the current marketplace, consider the criticism
that today’s large-scale identity providers rarely accept identities authenticated by other
providers. For example, you cannot log into Google’s services using an identity other than
one issued by Google, but Google encourages you to use your Google identity with other
providers. Because today’s economic incentives for identity providers stem from their
ability to track users, it does them little benefit to utilize identities provided by other
organizations. Placing those same limitations on one’s ability to access financial,
government, or health services would force the user to maintain a number of digital
identities, which would be detrimental to the user and promote inefficiencies.

[23] Aleecia M. McDonald and Lorrie Faith Cranor, “The Cost of Reading Privacy Policies,”
     ACM Transactions on Computer-Human Interactions, 0380 No.
     3, http://www.mendeley.com/research/the-cost-of-reading-privacy-policies/#.
[24] Byron Acohido, “Facebook settles with FTC over deception charges,” USA Today,
     November 29, 2011,
     http://www.usatoday.com/tech/news/story/2011-11-29/facebook-settles-with-ftc/51467448/1.
[25] Julia Angwin, “Google Faces New Privacy Probes,” Wall Street Journal, March 16, 2012,
     http://online.wsj.com/article/SB10001424052702304692804577283821586827892.html.
[26] Jon Brodkin, “US, Europe investigate Google’s bypass of Safari privacy settings,”
     Ars Technica, March 16, 2012,
     http://arstechnica.com/tech-policy/news/2012/03/us-europe-investigate-googles-bypass-of-safari-privacy-settings.ars.

Personal Choice

If users find it more convenient to use an identity issued by a for-profit identity provider,
and accept the possibility that sensitive information is likely to be tracked in data
compiled by the identity provider, then those users should be able to utilize any identity
service that they choose. It must remain up to the user to decide what organizations to
trust with their information.

Ideally, Internet users will have many options available to them. More possibilities for
online services would be created in an ecosystem where the users are able to choose
to employ multiple identities or remain anonymous, as they see fit. Perhaps many users
will choose one single identity, provided and verified by an entity that they trust.
Some users may use multiple identities: one for sensitive applications and another where
convenience is the primary concern.

Today’s advanced Internet users are able to partition their online identities in ways that
add an element of privacy protection. Other users are completely comfortable disclosing
their online activities in exchange for valuable services. And some users choose only to
participate in the online world anonymously. All of these options should be preserved in
the online identity ecosystem, even as more are presented that bolster the users’
privacy options.


Opportunities for the Postal Service in Digital Identity
The Postal Service has a long history of bringing together citizens, government, and
commerce. How people connect has changed significantly. The expanding digital
economy presents a challenge to bring these values to new environments. It also
presents a starting point for the development of new digital products and revenue
streams.

In entering the world of identity provisioning, the Postal Service will have to determine
the optimal level of authentication needed. While in-person application provides the
highest level of security, it also makes sign-up more difficult and expensive. There is an
inherent trade-off between the rigor of the authentication and customer convenience
that affects the rate of adoption. It may be best to adopt a multi-level authentication
protocol, allowing higher-level transactions only with a similar level of authentication,
while maintaining minimum levels of authentication for simpler transactions.

By taking the role of a trusted entity to verify attributes of identity, the Postal Service can
use key parts of its existing infrastructure[27] to create a valuable service.
The service would provide a strong link between real-world identities and digital identities,
backed by clear and strong privacy procedures, thus enabling government and businesses to
better meet the growing expectation for digitally accessible transactions. It would add
capabilities to the digital identity ecosystem at a time when these features are needed.

[27] This includes its current website, usps.com, and customer databases.

As a Trusted Third Party Online

The Postal Service could serve as a trusted third party for verifying an individual’s
location of residence with the individual’s permission. When using a verified identity
online, customers could choose what to reveal about their real-world identity in a given
transaction, with specificity ranging from street address to region, state, county, city, or
ZIP code. Through the U.S. National Change of Address (NCOA) system the Postal
Service could verify the past addresses of individuals and businesses.[28]

Figure 2: The Postal Service as a Trusted Third Party
[Diagram: USER, IDENTITY PROVIDER]

   1. User requests a digital identity from Identity Provider
   2. Identity Provider creates a verification request with the Postal Service
   3. The Postal Service verifies the identity of the User either in-person or using
      change of address data
   4.
      As a Trusted Third Party, the Postal Service provides verification of the
      User’s physical identity for the Identity Provider

Utilizing OpenID’s protocols for attribute exchange, the Postal Service could verify these
attributes for organizations that act as digital identity providers. After successful
verification, identity providers would allow customers to reveal the attributes to relying
parties.

As an Identity Provider

In addition to verifying attributes of identities issued by other organizations, the Postal
Service could act as an identity provider itself. The Postal Service could directly verify
attributes of individuals and organizations online. Digital identities issued by the Postal
Service could operate according to the OpenID standard and work within the existing
identity ecosystem. Customers could use their identities for all of their online
transactions, or use their identity only for transactions that handle sensitive information.

[28] Currently, data in the NCOA system is stored for four years. For more information on the
     NCOA, see U.S. Postal Service Office of Inspector General, eMailbox and eLockbox:
     Opportunities for the Postal Service, Report No. RARC-WP-12-003, November 14, 2011,
     http://www.uspsoig.gov/foia_files/RARC-WP-12-003.pdf.

At the request of a customer, the Postal Service could share the customer’s verified
location and identity details with relying parties, such as retailers or service providers.

The digital identity could also traverse back into the physical world as an identifier for a
number of different access tools.
For example, it could serve as the core identifier on a
postal-centric smart card that would not only provide access to postal services, but
provide digital authentication and serve as a platform for other government and
commercial entities to offer additional services.[29]

Figure 3: The Postal Service as an Identity Provider
[Diagram: USER, RELYING PARTNER]

   1. User logs into Relying Partner’s website
   2. Relying Partner contacts the Postal Service to authenticate the User
   3. The Postal Service asks User to authorize using identity with Relying Partner
   4. If/When User allows, the Postal Service sends credentials to the Relying
      Partner and the User is logged into the website

[29] U.S. Postal Service Office of Inspector General, The USPS Global Card: A Conceptual
     Analysis of a Smart Card Platform, Report No. RARC-WP-12-006, February 13, 2012,
     http://www.uspsoig.gov/foia_files/RARC-WP-12-006.pdf.
[30] U.S. Postal Service, “Postal Facts,”
     http://about.usps.com/who-we-are/postal-facts/welcome.htm.

Verifying Attributes Physically for Digital Identities

The Postal Service can verify the mailing address of individuals or organizations several
ways. With a nationwide network of locations and postal carriers reaching every door,
the Postal Service could provide in-person verification or verification-by-mail services.
The Postal Service already provides such services for the processing of passports,
having collected 5.6 million passport applications in 2011 alone.[30] With permission from
an individual, the Postal Service could verify a specific individual’s control over an online
identity by matching an address and incoming mail, and checking physical identification.
The NCOA system, in addition to helping people receive their mail at new locations,
could provide accurate and up-to-date verification of an address.[31]

Many existing processes for verifying addresses utilize the Postal Service. For example,
some businesses will mail a postcard with a unique code to an address they are
attempting to verify. The resident will enter the unique code onto a website to prove they
reside at that address. While repeating this process for multiple services is not optimal,
this use of the postal system demonstrates businesses’ reliance on current postal
services.

Identity Provisioning and Revocation

The Postal Service’s existing “brick and mortar” locations are a major advantage for
identity services. In order to provide a new digital identity for a customer, physical
verification of their mailing address would be required.[32] By offering these services
in-person at a retail location or with verification by their letter carrier, customers could work
with an organization they trust to keep their information updated and secure. The Postal
Service reaches every residence and business in the United States.

One responsibility of an identity provider is revoking compromised identities. If
customers lose control of their identities, they must notify identity providers to prevent
unauthorized use of the identity online.
Even the revocation process can be a target for fraud online.

[31] U.S. Postal Service Office of Inspector General, The USPS Global Card: A Conceptual
     Analysis of a Smart Card Platform, http://www.uspsoig.gov/foia_files/RARC-WP-12-006.pdf.
[32] The Postal Service already verifies addresses for mailers through a number of address
     hygiene services.

Protecting Privacy and Security

Backed by the Privacy Act of 1974 and the legal protection of First-Class Mail, the
Postal Service has a long-established history of clear, direct, and effective privacy
practices with legal standing. This history means that the Postal Service is in a unique
position to provide identity services built on a foundation of privacy and trust, an aspect
of digital identity left unaddressed by today’s identity providers. Verification of identity
attributes and identity services can be delivered in a way that protects the individual’s
privacy. Being bound by mail privacy laws, the Postal Service could fill critical gaps in the
identity ecosystem and provide a clear, concise privacy statement that prevents the Postal
Service from sharing any information with any parties other than those customers
choose.

The Postal Service also has unique strengths in the fight against fraud. The Postal
Service offers protection under federal law through two law enforcement organizations:
the Office of Inspector General and the Postal Inspection Service. These law
enforcement organizations currently investigate crimes that include using a false identity
and fraud. The reach and experience of these two organizations serve as a valuable
tool for the enforcement of customers’ privacy and security — a tool that could readily
be adapted to fulfill a wider role in the digital sphere.

Evolving Role in Authentication and Digital Identity Services

The Postal Service has experience both in providing physical authentication services for
federal agencies such as the Department of State’s Office of Passport Services and in
providing such services for its own products, ranging from Change of Address requests
to registration for the new gopost™ parcel lockers. In the digital world, the Postal
Service has also amassed experience in providing secure online storage of personal
information, including the encryption used to manage the AMS and NCOA databases as
well as the administration of the Click-N-Ship® postage program.

This experience, along with a reputation for trust, brings the organization the necessary
credibility to engage in this arena. As the framework for an online identity ecosystem
evolves, the Postal Service has begun to engage with key players from government and
industry.
Whether as an active participant with industry and government representatives
developing the NSTIC framework, as a potential partner to participants in the NSTIC
and OpenID pilot programs, or working with federal government agencies to develop a
single sign-on across the .gov domain, the Postal Service has been and must continue
to be engaged as an identity framework rolls out over the coming years.

The need for a Postal Service role in federal online identity management is significant.
In this era of limited resources, federal agencies are reducing their physical footprints
and seeking ways to reduce costs. Simultaneously, the same agencies are seeking to
reach Americans through innovative eGovernment programs requiring identity and
attribute authentication. Whether vetting identification for the Department of Agriculture
or verifying physicians in the roll-out of the Center for Medicare and Medicaid Services’
ePrescribe Program, such programs provide an obvious role for the Postal Service.

Adoption and New Applications

If the Postal Service were able to provide Internet users with the ability to share
information about their real-world identity through their physical identity, innovators
would set to work finding profitable applications for this information. Each expansion of
capability available to entrepreneurs is followed by a wave of start-up businesses
exploring new potential concepts. For example, when a user’s current physical location
became available to websites through smartphones, new businesses emerged to utilize
that data. Participants in the digital economy ultimately decide the fate of these new
ventures.

One possible application using the Postal Service’s authentication services is
Peer-to-Peer Escrow. As background, the Internet has enabled an expansion of peer-to-peer
commerce.
Websites such as eBay and Craigslist make it easy for individuals to
connect with people in their community or even internationally for the purpose of trade;
bartering; or selling used goods, crafts, and services. This expanded economy has
given criminals new ways to defraud citizens, who may receive counterfeit goods or, on
the other side of the transaction, counterfeit payment.

If both the buyer and the seller were able to register their identities digitally with a
service that facilitated payment for the transaction (or “escrow service”), they would be
able to lower their fraud risk. By using their digital identities, authenticated by the Postal
Service, the buyer and the seller could reveal their information only to the trusted third
party. This would deter fraud, better enable law enforcement to address a growing
problem, and provide a legitimate sense of security and privacy to the buyer and the
seller.

This hybrid of digital identity verification and escrow is a theoretical service that
illustrates the potential for the use of authenticated digital identities in the Internet
economy. By creating digital identities that interoperate with the open standards on the
web, the Postal Service could enable new businesses to emerge, as well as help
existing organizations to be more secure, efficient, and convenient for their customers.

Revenue Opportunities

Digital identity services provide several revenue opportunities for the Postal Service.
For
example, when working as a trusted third party to verify limited attributes of existing
identities, the Postal Service could charge either a value-based per-use fee or an
annual access fee to the identity providers for which the Postal Service verifies
attributes.

For services with a high expectation of privacy, identities issued by the Postal Service
may be ideal. When functioning as an identity provider, the Postal Service could charge
organizations that rely on Postal Service-verified attributes to complete commercial
transactions.

Automated billing of per-use fees is a common revenue model for open Internet
platforms. For example, Google Maps allows businesses to utilize its data for
commercial purposes. The first 25,000 requests in a day are free. After that, businesses
pay $4 for each additional 1,000 requests. A more liberal license is available for
large-scale users, which includes technical support and availability agreements, starting at
$10,000 annually. 33

33 “Google puts a limit on Free Google Maps API: over 25,000 daily and you pay,” The Guardian, Technology Blog,
   October 27, 2011, http://www.guardian.co.uk/technology/blog/2011/oct/27/google-maps-api-charging.

Implementation Considerations

Integration with Existing Identity Ecosystem
The existing identity ecosystem is large. Billions of these identities exist on the Internet
today, and they are a critical part of the digital economy. To fill the gaps in service
outlined in this paper, the Postal Service should implement its identity services in a way
that interoperates with the existing identity ecosystem.

Although still under development, OpenID demonstrates the power of an open platform and
the ability for the specification to evolve and meet new challenges. Over time, security
will increase, usability will improve, and OpenID may develop into a platform on which to
build a strong, privacy-centric identity service.

[Sidebar: Over time, OpenID may develop into a platform on which to build a strong
identity service with a focus on user privacy]

The NSTIC and Open Identity Exchange initiatives both aim to increase the adoption of
this technology within government. By working with these organizations, the Postal
Service could develop a revenue stream in providing identity services to other
government agencies, the healthcare industry, and other entities with which individuals
share their identity profile.

User-centric Privacy
The potential for abuse of privacy is a valid concern for any identity service. Although
the Postal Service has a longstanding tradition of keeping individual information private,
some of its revenue models based in the physical world will not translate to the digital.
A strong commitment to privacy can be displayed if the default settings of the service
are to maintain the strict confidentiality of customers’ information.
Adoption will be stifled
if users believe that keeping their information current will result in increased amounts of
unwanted physical or digital communication from advertisers.

Any information-sharing should only be under circumstances where users opt in and
have granular controls over what attributes are shared and with whom. If serving as an
identity provider, the Postal Service should not store any information about the specific
websites a customer authenticates with. In order to keep user privacy paramount, no
behavioral information should be logged or stored.

A Building Block for Web Services
In 2011, the U.S. Postal Service Office of Inspector General (OIG) Risk
Analysis Research Center (RARC) began publishing a series of white papers that
explore a positioning for the Postal Service in the digital economy. For each opportunity
defined in the series, including eMailbox and eLockbox services, digital identity services
may be part of the foundation.

While building an interoperable identity service is a much larger undertaking than
creating a username and password authentication system, it may be a requirement of
moving the Postal Service further into the digital age. The Postal Service currently offers
accounts online for both individuals and mailing organizations. Improving the
interoperability of accounts within existing Postal Service products could be a logical
first step towards building an expanded identification service.
A Platform for New Applications
Part of the potential for the Postal Service in offering digital identity services is the
organization’s ability to create a platform in addition to a simple digital identity service
offering. While customers can utilize a service for a specific use, a platform would
enable new products and services to be created, enabled by the core technology of
verifying real-world attributes of digital identities.

Technology — Cost and Internal Capabilities
Establishing an interoperable identity service is not a one-time investment. In addition to
customer service, verification services, and revocation and security responsibilities, the
technology that serves as a foundation to digital identity will continue to improve.
Services built on this technology will adapt as well.

Today’s open identity ecosystem, largely driven by OpenID technology, is an evolving
standard. The OpenID Foundation improves the specification on a regular basis,
responding to the challenges presented by real-world implementation. This process of
adaptation is an open one. If the Postal Service becomes a stakeholder with a long-term
investment in this technology, participating in the creation of new versions of the OpenID
standard is an important step in strengthening the digital identity ecosystem.

[Sidebar: Partnering with outside organizations could provide a shortcut … but is
unlikely to provide privacy benefits]

How the Postal Service could best develop this technology and participate in its
evolution is open to further exploration.
Partnering with outside organizations could
provide a shortcut to development, but the rebranding of existing identity technology in
itself is highly unlikely to provide the privacy benefits required to make a strong impact
in today’s market.

Liability
A digital identity solution used to manage valuable information is a target for fraud.
Criminals attempt to access information that can be used for identity theft by taking
control of a user’s online identity, either through exploiting security deficiencies or
tricking users into giving away control.

New identity services should be supplemented with a legal review of the liability created
by providing these services. If a customer’s information is compromised and a
fraudulent transaction completed, what protections are in place for the customer, the
relying party, a trusted third party, and the identity provider? New protections or
limitations for the use of identity services may be necessary as conditions of using
identities provided or verified by this system.

Currently, no comprehensive federal law or regulation covers the security of sensitive
personal information by the federal sector or related liability in the event of breach or
fraud. Instead, a web of federal laws, regulations, and guidance applies, reflecting a
“sectoral approach” to the protection of personal information.
34 Major legislation passed
by Congress in areas such as financial services, health care, and the Internet, has
created a framework with multiple organizations maintaining enforcement authority,
ranging from the Veterans Administration to the Federal Trade Commission to the new
Consumer Financial Protection Bureau. This web of statutes presents a challenge, but
should not prohibit or discourage the Postal Service from further engagement.

As the Postal Service considers partnering with federal and even state and local
government agencies, it must evaluate and develop sensible liability provisions that
spread responsibility among accountable parties and minimize risk. As a self-insured
entity, the Postal Service has elected to pay for losses itself rather than purchasing
insurance in the private market. This policy should be reviewed, together with an
examination of new digital identity and attribute authentication services and
how risks could be shared with other agencies.

Regulatory Issues

Before even planning digital services, the Postal Service should consider whether the
product would be allowed under current postal regulations. By law, the Postal Service is
restricted to offering “postal services” or specifically grandfathered “nonpostal services.”
Current law, however, grants significant leeway to the Postal Service in providing
services to other parts of the federal government.

In 2011, the Office of Inspector General engaged a leading regulatory expert to conduct
an extensive analysis of the current regulatory
environment.
She concluded that current regulations, particularly in the provision of eGovernment
services, do provide a legal path for the Postal Service to offer a number of digital
services. Many new products that bridge the gap between the physical and digital worlds,
such as those in this paper, may be characterized as complements or digital versions of
existing postal products. 35

[Sidebar: The Postal Service is on the brink of missing a critical opportunity to find its
own role in the digital economy and shape the future of identity on the Internet]

Further, one could argue that offering digital identity services not only helps to bridge
the gap between the physical and digital worlds, but also plays a vital supporting role in
continuing to bind the nation together. As the digital revolution continues to rage,
providing such services across the nation reflects a modern interpretation of the Postal
Service’s Universal Service Obligation in providing a secure and trusted channel for
communications and commerce.

34 U.S. Congressional Research Service, Federal Information Security and Data Breach Notification, Gina
   Stevens, January 28, 2010, http://www.fas.org/sgp/crs/secrecy/RL34120.pdf, p. 1.
35 U.S. Postal Service Office of Inspector General, Bridging the Digital Divide: Overcoming Regulatory and
   Organizational Challenges, Report No. RARC-WP-12-004, November 22, 2011,
   http://www.uspsoig.gov/foia_files/RARC-WP-12-004.pdf.
Conclusion
With pilot programs already in place through NSTIC and OIX, the Postal Service is on
the brink of missing a critical opportunity to find its role in the digital economy and shape
the future of identity on the Internet. While technology leaders in both the public and
private sectors have yet to develop and agree on common standards and protocols,
they are progressing and could begin testing even an imperfect prototype. The Postal
Service needs to take an active role in order to keep pace with an evolving industry, an
industry that will dramatically expand once more rigorous identity authentication is
available for highly sensitive offerings. Any potential offering from the Postal Service
should include appropriate and enforceable privacy safeguards to allow the further
growth of both eCommerce and new communications applications and enhancements.


Appendices


Appendix A    A European Postal Perspective

Key Issues and Outlook

For European posts, authentication is at the heart of the development for eMailboxes
and other digital applications, including eGovernment and hybrid (digital-physical) mail
options. There is a wide divergence between the authentication systems in use.
Final
design drivers are based on local circumstances and legislation around eSignatures. If
third party identities are valid and useable, they should be considered as an alternative
or complement to in-house processes. For example, four Nordic countries leverage the
authenticated identities used in the banking system.

    •   Finland’s protocol is the simplest, with users continuing to use their banking ID as
        a user name or choosing a new username and password.

    •   Denmark uses the banking identity initially and then changes it to a higher level
        of authentication.

Switzerland operates two systems: one is fairly straightforward, and the other is unique,
where users hold a hard certificate in a token (USB stick).

Market Directions

There is increasing discussion on providing differentiated levels of authentication and
credentials based on the level of services accessed. Thus, light authentication could be
used for simple eMailbox access, with more rigorous authentication if payment or
access to eGovernment services is part of the transaction.

Authentication for eMailboxes and other applications is likely to remain tied to banking
applications where possible. OpenID standards are not likely to be adopted unless they
are accepted and used by the banking sector.

There is growing interest in using mobile phones as a delivery channel. In addition,
European posts are reviewing bio-metric authentication methods. These are currently
not proven or used techniques for digital identity authentication.

See Table 1 for detailed information on how authentication is handled by five European
posts.
Table 1: Examples of Digital Identity Models in Europe*

Postal Operator   Name of Service Overview                                          Verification Method
----------------  --------------- ------------------------------------------------  --------------------------
Post Nord         eBoks           Authentication utilizes banking ID, legal         Online via banking
(Denmark)                         address, and social security number. User name    information.
                                  is social security number with self-selected
                                  password. One-time scratch code card is
                                  delivered to home physical address for
                                  multi-factor process.

Itella Post       NetPosti        Two ways to register: through bank identity or    Online via bank process,
(Finland)                         national chip card. Also can register at Post     utilizing social security
                                  Office.                                           number or in-person with
                                                                                    issuance of one-time
                                                                                    password.

Deutsche Post     EPostBrief      Uses Deutsche Post's own "Postident" on-line      In-person, validated
(Germany)                         certification process.                            against Government
                                                                                    databases.

Poste Italiane    Poste mailbox   Uses Poste Italiane's own on-line certification   In-person, validated
(Italy)                           process.                                          against government tax
                                                                                    codes and social
                                                                                    security number.

Swiss Post        Swiss Sign      Online registration and validation against        In-person.
(Switzerland)                     national data bases. Creates legal Public Key
                                  Infrastructure-based electronic certificate for
                                  digital signature. Certificate offered in
                                  computer neutral USB token which authenticates
                                  digital signature and allows remote application
                                  management and upgrading.

*Digital identity processes used for eMailbox registration

Source: Strategia Group and decision/analysis partners, in cooperation with the U.S. Postal Service Office
of Inspector General, 2012


Appendix B    Commonly Used Terms

Term                  Description

AMS                   The U.S. Postal Service’s Address Management System, which is a
                      proprietary database of all addresses in the U.S.
Attributes            Descriptions of characteristics; details or components of online identities.
Authentication        The process of establishing confidence in the identity of users or
                      information systems.
Digital Identity      Collection of attributes related to a specific person or organization within
                      a given context, either fact-based or fictional.
Identity Ecosystem    A set of technologies, policies, and agreed upon standards that securely
                      support communications and transactions. Key attributes of the Identity
                      Ecosystem include privacy, convenience, efficiency, ease-of-use,
                      security, confidence, innovation, and choice.
Identity Provider     An organization that issues a digital identity.
Intermediary          Same as Trusted Third Party. See below.
NCOA                  The U.S. Postal Service’s National Change of Address System is a
                      registry of addresses for individuals, businesses and organizations who
                      have moved or changed addresses in the U.S.
NSTIC                 National Strategy for Trusted Identities in Cyberspace, a White House
                      initiative to develop a more secure identity ecosystem, involving public,
                      private, and nonprofit organizations.
OpenID                A decentralized single sign-on solution initially developed in 2005 and
                      under continuous revision. OpenID technology has protocols for attribute
                      exchange among digital entities and uses standard software.
Phishing              An attack in which the user is lured and tricked (usually through an
                      e-mail) into interacting with a counterfeit Verifier or Relying Party and
                      revealing attributes of user identity.
Relying Parties       Organizations that rely on an identity issued by another entity.
Single Sign-On        An authentication process that allows a user to enter one name and
                      password to access multiple online applications from different
                      organizations.
Token                 A physical object used to access digital information by an authorized
                      user.
Trust Framework       Certification program enabling a party who accepts a digital identity
                      credential to trust the identity, security, and privacy policies of the party
                      issuing the credential and vice versa.
Trusted Third Party   An entity that authenticates user identity (through verification of attributes)
                      and that is not otherwise participating in the communication or
                      transaction.
Verification          The process of establishing confidence in attributes of users or
                      information systems.

Sources: U.S. Postal Service Office of Inspector General Risk Analysis Research Center (RARC), National
         Institute of Standards and Technology (NIST), National Strategy for Trusted Identities in Cyberspace
         (NSTIC).
Appendix C    Levels of Authentication

Following are excerpts from the requirements for each of the four levels of
authentication assurance as defined by the National Institute of Standards and
Technology (NIST): 36

         …the party to be authenticated is called a Claimant and the party verifying
         that identity is called a Verifier. When a Claimant successfully
         demonstrates possession and control of a token to a Verifier through an
         authentication protocol, the Verifier can verify that the Claimant is the
         Subscriber named in the corresponding credential. The Verifier passes on
         an assertion about the identity of the Subscriber to the Relying Party. 37

Levels 1 and 2 provide the lightest authentication, which may involve pseudonyms
(false names). In most cases, only verified names may be specified in credentials and
assertions at Levels 3 and 4:

Level 1
Although there is no identity proofing at this level, the authentication mechanism
provides some assurance that the same Claimant who participated in previous
transactions is accessing the protected transaction or data. Since identity proofing is not
required, names and credentials and assertions are assumed to be pseudonyms.

Level 2
Level 2 provides single factor remote network authentication. At Level 2, identity
proofing requirements are introduced, requiring presentation of identifying materials or
information, although the credential may assert a pseudonym. A wide range of available
authentication technologies can be employed.

Level 3
Level 3 provides multi-factor remote network authentication. At least two authentication
factors are required.
At this level, identity proofing procedures require verification of
identifying materials and information.

Level 4
Level 4 is intended to provide the highest practical remote network authentication
assurance. Level 4 is based on proof of a possession of a key through a cryptographic
protocol. At this level, in-person identity proofing is required.

36 National Institute of Standards and Technology, Electronic Authentication Guideline: Information Security, Special
   Publication 800-63-1, December 2011, http://csrc.nist.gov/publications/nistpubs/800-63-1/SP-800-63-1.pdf.
37 Ibid., p. 17.
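
The four assurance levels excerpted in Appendix C, combined with Appendix A's idea of differentiated authentication per service, can be expressed as a step-up check. This is an added example, not code from the report or from NIST; the field names, the cumulative reading of the levels, and the sample services are assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum

FACTOR_TYPES = {"knowledge", "possession", "inherence"}


class Proofing(IntEnum):
    """Identity proofing strength, ordered as in the Appendix C excerpts."""
    NONE = 0       # Level 1: no identity proofing
    PRESENTED = 1  # Level 2: identifying materials or information presented
    VERIFIED = 2   # Level 3: identifying materials and information verified
    IN_PERSON = 3  # Level 4: in-person identity proofing


@dataclass(frozen=True)
class AuthEvent:
    proofing: Proofing
    factors: frozenset       # distinct factor types shown in this login
    key_proof: bool = False  # key possession proven by a cryptographic protocol


def make_event(proofing, *factors, key_proof=False):
    """Build an AuthEvent; two secrets of the same type count as one factor."""
    unknown = set(factors) - FACTOR_TYPES
    if unknown:
        raise ValueError(f"unknown factor type(s): {sorted(unknown)}")
    return AuthEvent(Proofing(proofing), frozenset(factors), key_proof)


# level -> (minimum distinct factors, minimum proofing, key proof required).
# Assumption: levels are cumulative, so Level 4 keeps Level 3's two factors.
REQUIREMENTS = {
    1: (1, Proofing.NONE, False),
    2: (1, Proofing.PRESENTED, False),
    3: (2, Proofing.VERIFIED, False),
    4: (2, Proofing.IN_PERSON, True),
}


def gaps(event, level):
    """List what `event` still lacks to satisfy `level` (empty list = satisfied)."""
    min_factors, min_proofing, need_key = REQUIREMENTS[level]
    missing = []
    if len(event.factors) < min_factors:
        missing.append(f"{min_factors} distinct authentication factor(s)")
    if event.proofing < min_proofing:
        missing.append(f"identity proofing: {min_proofing.name.lower()}")
    if need_key and not event.key_proof:
        missing.append("cryptographic proof of key possession")
    return missing


def achieved_level(event):
    """Highest level whose requirements are all met; 0 if not even Level 1."""
    level = 0
    for candidate in sorted(REQUIREMENTS):
        if gaps(event, candidate):
            break
        level = candidate
    return level


@dataclass(frozen=True)
class Service:
    name: str
    min_level: int
    needs_verified_name: bool = False


def decide(event, service):
    """Allow the request, or report the step-up needed to reach the service's level."""
    required = service.min_level
    if service.needs_verified_name:
        # Names asserted at Levels 1 and 2 may be pseudonyms.
        required = max(required, 3)
    have = achieved_level(event)
    step_up = [] if have >= required else gaps(event, required)
    return {"allow": have >= required, "level": have, "required": required,
            "step_up": step_up}


# Constructed sample services (assumed mapping): light authentication for
# mailbox access, stronger for payment and eGovernment, as in Appendix A.
SERVICES = {
    "emailbox_read": Service("emailbox_read", 2),
    "payment": Service("payment", 3, needs_verified_name=True),
    "egov_filing": Service("egov_filing", 4, needs_verified_name=True),
}

if __name__ == "__main__":
    login = make_event(Proofing.PRESENTED, "knowledge")  # constructed login
    for svc in SERVICES.values():
        print(svc.name, decide(login, svc))
```

The `step_up` list is what a relying party would show the user before retrying, so a single-factor login is told exactly which requirement separates it from a payment or eGovernment transaction.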